Abstract

We show a reduction to propositional logic from a Boolean combination of inequalities of the form $v_i > v_j + c$ and $v_i \ge v_j + c$, where $c$ is a constant and $v_i, v_j$ are variables of type real or integer. Equalities and uninterpreted functions can be expressed in this logic as well. We discuss the advantages of using this reduction as compared to competing methods, and present experimental results that support our claims.
1 Introduction


Recent advances in SAT solving make it worthwhile to try and reduce hard decision problems, that were so far solved by dedicated algorithms, to the problem of deciding a propositional formula. Modern SAT solvers can frequently decide formulas with hundreds of thousands of variables in a short amount of time. They are used for solving a variety of problems such as AI planning, Automatic Test Pattern Generation (ATPG) [21], Bounded Model Checking [4], and more. In this paper we show such a reduction to SAT from a theory of separation predicates$^1$, i.e., formulas that contain the standard Boolean connectives, as well as predicates of the form $v_i \triangleright v_j + c$ where $\triangleright \in \{>, \ge\}$, $c$ is a constant, and $v_i, v_j$ are variables of type real or integer. The other inequality signs as well as equalities can be expressed in this logic. Uninterpreted functions can be handled as well, since they can be reduced to Boolean combinations of equalities [1].

Separation predicates are used in verification of timed systems, scheduling problems, and more. Hardware models with ordered data structures have inequalities as well. For example, if the model contains a queue of unbounded length, the test for head < tail introduces inequalities. In fact, most inequalities in verification conditions, Pratt observed [17], are of this form. Furthermore, since theorem provers can decide mixed theories (by invoking an appropriate decision procedure for each logic fragment [20]), restricting our attention to separation predicates does not mean that the result is helpful only for pure combinations of these predicates. Rather it means that the new decision procedure can shorten the verification time of any formula that contains a significant number of these predicates.

The reduction to SAT we suggest is based on two steps. First, we encode the separation predicates as new Boolean variables. Second, we add constraints on these variables, based on an analysis of the transitivity of the original predicates. The idea of Boolean encoding of predicates in this context was introduced by Goel et al. [13] for deciding equality logic, although they did not compensate for the lost transitivity by adding constraints. They encode each equality predicate $i = j$ with a new Boolean variable $e_{ij}$, and compute the BDD corresponding to the resulting Boolean formula. Then, they search the BDD for a consistent path leading to '1', i.e., an assignment to the $e_{ij}$ variables that is consistent with the transitivity requirements of equality (e.g., an assignment $e_{ij} = e_{jk} = 1$, $e_{ik} = 0$ is inconsistent because it does not respect the transitivity requirement of the corresponding equality predicates). The original formula is satisfiable if and only if such a path is found. Bryant et al. [6] later suggested to avoid the search phase (which is worst-case exponential) by explicitly adding the transitivity constraints to the formula. The equality predicates can be represented as an undirected graph, where the nodes are the variables, and there is an edge between two nodes $i$ and $j$ if and only if there is a predicate $i = j$ in the formula. Transitivity of equality forbids an assignment in which all edges of a cycle except one are assigned TRUE. Thus, it is sufficient to add such a constraint for each simple cycle in the graph. The current work


$^1$ The term separation predicates is adopted from Pratt [17], who considered 'separation theory', a more restricted case in which all the constraints are of the form $v_i \le v_j + c$, and conjunction is the only Boolean operator allowed. This logic is also known as 'difference logic'.
can be seen as a natural extension of [6] to a more general segment of logic, namely a logic of separation predicates.

The rest of the paper is organized as follows. In the next section we briefly survey some existing methods for deciding separation predicates and discuss the principal differences between these methods and SAT. We describe our method in Sections 3 to 5: in Section 3 we present our basic graph-based decision procedure. In Section 4 we show how triangulating the graph can reduce the complexity of the procedure in some interesting cases (while making it more complex in others). In Section 5 we extend the procedure to handle integers. We conclude in Section 6 by comparing run-times of the suggested method and the theorem prover ICS [11, 12], when applied to a variety of realistic examples from hardware designs and timed systems.


2  SAT  vs.  other  decision  procedures 

There are many methods for deciding a formula consisting of a conjunction of separation predicates. For example, a known graph-based decision procedure for this type of formulas (frequently attributed to Bellman, 1957) works as follows: given a conjunction of separation predicates $\varphi$, it constructs a constraints graph, which is a directed graph $G(V, E)$ in which the set of nodes is equal to the set of variables in $\varphi$, and node $v_i$ has a directed edge with 'weight' $c$ to node $v_j$ iff the constraint $v_i \le v_j + c$ is in $\varphi$. It is not hard to see that $\varphi$ is satisfiable iff there is no cycle in $G$ with a negative accumulated weight (summing the constraints along a cycle cancels the variables and leaves $0 \le w$, where $w$ is the accumulated weight). Thus, deciding $\varphi$ is reduced to searching the graph for such cycles. Variations of this procedure were described, for example, in [17], and are implemented in theorem provers such as Coq [2]. The Bellman-Ford algorithm [8] can find whether there is a negative cycle in such a graph in polynomial time, and is considered the standard in solving these problems. It is used, for example, when computing Difference Decision Diagrams (DDD) [14]. DDDs are similar to BDDs, but instead of Boolean variables, their nodes are labeled with separation predicates. In order to compute whether each path in the DDD leads to '0' or '1', the Bellman-Ford procedure is invoked separately for each path.
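As an added illustration of the constraints-graph procedure just described (example code written for this edition, not part of the paper or of any of the tools it cites), the following Python builds the graph for a conjunction of predicates $v_i \le v_j + c$, runs Bellman-Ford relaxation from an implicit virtual source, and either reports a negative cycle (unsatisfiable) or returns a real-valued model. The two input conjunctions, the function names and the tuple encoding of a predicate are this example's own constructions.

```python
# Added example (not from the paper): deciding a conjunction of separation
# predicates of the form v_i <= v_j + c by negative-cycle detection in the
# constraints graph of Section 2, using Bellman-Ford relaxation.
from typing import Dict, List, Optional, Tuple

Constraint = Tuple[str, str, float]   # (v_i, v_j, c) stands for  v_i <= v_j + c


def constraints_graph(phi: List[Constraint]):
    """Nodes are the variables of phi; v_i -> v_j with weight c for v_i <= v_j + c."""
    nodes = sorted({v for vi, vj, _ in phi for v in (vi, vj)})
    return nodes, list(phi)


def decide_conjunction(phi: List[Constraint]) -> Optional[Dict[str, float]]:
    """Return a real-valued model of phi, or None if phi is unsatisfiable.

    Every node starts at distance 0, which is the same as adding a virtual
    source with a 0-weight edge to each node, so every cycle is reachable.
    After |V|-1 rounds of relaxation the distances are shortest paths unless
    a negative cycle exists, in which case one more round still improves
    some edge: that is the witness of unsatisfiability.
    """
    nodes, edges = constraints_graph(phi)
    dist = {v: 0.0 for v in nodes}
    for _ in range(len(nodes) - 1):
        changed = False
        for u, v, c in edges:
            if dist[u] + c < dist[v]:
                dist[v] = dist[u] + c
                changed = True
        if not changed:
            break
    if any(dist[u] + c < dist[v] for u, v, c in edges):
        return None                      # negative accumulated weight on some cycle
    # Shortest paths satisfy dist[v_j] <= dist[v_i] + c on every edge, which is
    # exactly v_i <= v_j + c once each variable is read off as v := -dist[v].
    return {v: 0.0 - d for v, d in dist.items()}


def is_model(phi: List[Constraint], model: Dict[str, float]) -> bool:
    """Independent check that a returned assignment satisfies every predicate."""
    return all(model[vi] <= model[vj] + c for vi, vj, c in phi)


# Constructed inputs.  SAT_PHI's only cycle x->y->z->x sums to +1; UNSAT_PHI's
# sums to -1, i.e. it entails x <= x - 1.
SAT_PHI: List[Constraint] = [("x", "y", 2.0), ("y", "z", -1.0), ("z", "x", 0.0)]
UNSAT_PHI: List[Constraint] = [("x", "y", 2.0), ("y", "z", -1.0), ("z", "x", -2.0)]

if __name__ == "__main__":
    print(decide_conjunction(SAT_PHI))    # {'x': 1.0, 'y': 0.0, 'z': 1.0}
    print(decide_conjunction(UNSAT_PHI))  # None
```

The sign flip when reading off the model is the only subtle point: relaxation produces $d(v_j) \le d(v_i) + c$ for every edge, which is the original constraint with the variables negated. This handles only the conjunctive fragment (Pratt's separation theory); a disjunction would have to be case-split into several such graphs, which is exactly the cost the rest of this section discusses.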

Most theorem provers can decide the more general problem of linear arithmetic. Linear arithmetic permits predicates of the form $\sum_{i=1}^{n} a_i v_i \triangleright a_{n+1}$ (the coefficients $a_1 \ldots a_{n+1}$ are constants). They usually apply variable elimination methods, most notably the Fourier-Motzkin technique [5], which is used in PVS [16], ICS, IMPS [10] and others. Other approaches include the graph-theoretic analysis due to Shostak [19], the Simplex method [9], the Sup-Inf method [18], and more. All of these methods, however, need to be combined with case-splitting in order to handle disjunctions$^2$. Normally this is the bottleneck of the decision process, since the number of sub-problems that need to be solved is worst case exponential. One may think of case-splitting as a two-step algorithm: first, the formula is converted to Disjunctive Normal Form (DNF); second, each clause is solved separately. Thus, the complexity of this problem is dominated by the size of the generated DNF. For this reason modern theorem provers try to refrain from explicit case-splitting. They apply 'lazy' case-splitting (splitting only when encountering a disjunction) that only in the worst case generates all possible sub-formulas as described above. One exception to the need for case splitting in the presence of disjunctions is DDDs. DDDs do not require explicit case-splitting, in the sense that the DDD data structure allows term sharing. Yet the number of sub-problems that are solved can still be exponential.

$^2$ Note that even if the formula does not include disjunctions originally, disjunctions are normally added to it by the decision procedure when reducing uninterpreted functions.

Reducing the problem to deciding a propositional formula (SAT) obviously does not avoid the potential exponential blow-up. The various branching algorithms used in SAT solvers can also be seen as case-splitting. But there is a difference between applying case-splitting to formulas and splitting the domain. While the former requires an invocation of a (theory-specific) procedure for deciding each case considered, the latter is an instantiation of the formula with a finite number of assignments. Thus, the latter amounts to checking whether all clauses are satisfied under one of these assignments.

This difference, we now argue, is the reason for the major performance gap between CNF-SAT solvers and alternative decision procedures that have the same theoretical complexity. We will demonstrate the implications of this difference by considering three important mechanisms in decision procedures: pruning, learning and guidance. In the discussion that follows, we refer to the techniques applied in the Chaff [15] SAT solver. Most modern SAT solvers work according to similar principles.

- Pruning. Instantiation in SAT solvers is done by following a binary decision tree, where each decision corresponds to choosing a variable and assigning it a Boolean value. This method makes it very easy to apply pruning: once it discovers a contradictory partial assignment $\alpha$, it backtracks, and consequently all assignments that contain $\alpha$ are pruned. It is not clear whether an equivalent or other pruning techniques can be applied in case-splitting over formulas, other than stopping when a clause is evaluated to true (or false, if we check validity).

- Learning. Every time a conflict (an unsatisfied clause) is encountered by Chaff, the partial assignment that led to this conflict is recorded, with the aim of preventing the same partial assignment from being repeated. In other words, all assignments that contain a 'bad' sub-assignment that was encountered in the past are pruned. Learning is applied in different ways in other decision procedures as well. For example, PVS records sub-goals it has proven and adds them as an antecedent to yet unproven sub-goals, with the hope that it will simplify their proofs. In regard to separation theory, we are not aware of a specific learning mechanism, but it is not hard to think of one. Our argument in this case is therefore not that learning is harder or impossible in other decision procedures, rather that by reducing problems to SAT, one benefits from the existing learning techniques that were already developed and implemented over the years.

- Guidance. By 'guidance' we mean prioritizing the internal steps of the decision procedure. For example, consider the formula $\varphi_1 \vee \varphi_2$, where $\varphi_1$ is unsatisfiable and hard to solve, and $\varphi_2$ is satisfiable but easy to solve. If the clauses are solved from left to right, solving the above formula will take longer than solving $\varphi_2 \vee \varphi_1$. We experimented with several such formulas in both ICS and PVS, and found that changing the order of expressions can have a significant impact on performance, which means that guidance is indeed problematic in the general case.
The success of guidance depends on the ability to efficiently estimate how hard it is to process each sub-formula and/or to what extent it will simplify the rest of the proof. Both of these measures are easy to estimate in CNF-SAT solving, and hard to estimate when processing more general sub-formulas. Guidance in SAT is done when choosing the next variable and Boolean value in each level of the decision tree. There are many heuristics for making this choice. For example: choose the variable and assignment that satisfies the largest number of clauses. Thus, the hardness of what remains to be proven after each decision is estimated by the number of unsatisfied clauses.

Modern theorem provers normally also try to guide the proof. The SVC theorem prover [3], for example, orders its sub-expressions according to a recursive definition of 'hardness': constants are the simplest; 'add' expressions are as hard as their most complex child, etc. Evaluating easier expressions first results on average in faster decisions.

Not only are these mechanisms harder to integrate in the alternative procedures, they become almost impossible to implement in the presence of mixed theories (what can be learned from solving a sub-goal with, e.g., bit-vectors that will speed up another sub-goal with linear arithmetic, even if both refer to the same variables?). This is why reducing mixed theories to a common theory like propositional logic makes it easier to enjoy the potential speed-up gained by these techniques. Many decidable theories that are frequently encountered in verification have known efficient reductions to propositional formulas. Therefore a similar reduction from separation predicates broadens the logic that can be decided by solving a single SAT instance.


3  A  graph  theoretic  approach 


Let $\varphi$ be a formula consisting of the standard propositional connectives and predicates of the form $v_i \triangleright v_j + c$ and $v_i \triangleright c$, where $c$ is a constant, and $v_i, v_j$ are variables of type real (we treat integer variables in Section 5). We decide $\varphi$ in three steps, as described below. A summary of the procedure and an example will be given in Section 3.4.


3.1 Normalizing $\varphi$

As a first step, we normalize $\varphi$.

1. Rewrite $v_i \triangleright c$ as $v_i \triangleright v_0 + c$.$^3$

2. Rewrite equalities as a conjunction of inequalities ($v_i = v_j + c$ becomes $v_i \ge v_j + c \wedge v_j \ge v_i - c$).

3. Rewrite '<' and '≤' predicates as '>' and '≥', e.g., rewrite $v_i < v_j + c$ as $v_j > v_i - c$.


$^3$ $v_0 \notin \varphi$ can be thought of as a special variable that always has the value 0 (an idea adopted from [19]).
3.2 Boolean encoding and basic graph construction

After normalizing $\varphi$, our decision procedure abstracts all predicates by replacing them with new Boolean variables. By doing so, the implicit transitivity constraints of these predicates are lost. We use a graph theoretic approach to represent this 'lost transitivity' and, in the next step, to derive a set of constraints that compensate for this loss.

Let $G_\varphi(V, E)$ be a weighted directed multigraph, where every edge $e \in E$ is a 4-tuple $(v_i, v_j, c, x)$ defined as follows: $v_i$ is the source node, $v_j$ is the target node, $c$ is the weight, and $x \in \{>, \ge\}$ is the type of the edge. We will denote by $s(e), t(e), w(e)$ and $x(e)$ the source, target, weight, and type of an edge $e$, respectively. We will also define the dual edge of $e$, denoted $\bar{e}$, as follows:

1. If $e = (i, j, c, >)$, then $\bar{e} = (j, i, -c, \ge)$.

2. If $e = (i, j, c, \ge)$, then $\bar{e} = (j, i, -c, >)$.

Informally, $\bar{e}$ represents the complement constraint of $e$ ($\neg(v_i > v_j + c)$ is $v_j \ge v_i - c$). Thus, $\bar{\bar{e}} = e$.

We encode $\varphi$ and construct $G_\varphi$ as follows:

1. Boolean encoding and basic graph construction

(a) Add a node for each variable in $\varphi$.

(b) Replace each predicate of the form $v_i > v_j + c$ with a Boolean variable $e^{c,>}_{i,j}$, and add $(v_i, v_j, c, >)$ to $E$.

(c) Replace each predicate of the form $v_i \ge v_j + c$ with a Boolean variable $e^{c,\ge}_{i,j}$, and add $(v_i, v_j, c, \ge)$ to $E$.

2. Add dual edges.

For each edge $e \in E$, $E := E \cup \{\bar{e}\}$.

We denote the encoded Boolean formula by $\varphi'$. Since every edge in $G_\varphi$ is associated with a Boolean variable in $\varphi'$ (while its dual is associated with the negation of this variable), we will refer to edges and their associated variables interchangeably when the meaning is clear from the context.

3.3 Identifying the transitivity constraints

The transitivity constraints imposed by separation predicates can be inferred from previous work on this logic [17, 19]. Before we state these constraints formally, we demonstrate them on a simple cycle of size 2. Let $p_1 : v_1 \triangleright_1 v_2 + c_1$ and $p_2 : v_2 \triangleright_2 v_1 + c_2$ be two predicates in $\varphi$. It is easy to see that if $c_1 + c_2 > 0$ then $p_1 \wedge p_2$ is unsatisfiable (adding the two predicates gives $0 \triangleright c_1 + c_2$). Additionally, if $c_1 + c_2 = 0$ and at least one of $\triangleright_1, \triangleright_2$ is equal to '>' then $p_1 \wedge p_2$ is unsatisfiable as well. The constraints in the other direction can be inferred by applying the above constraints to the duals of $p_1$ and $p_2$: if $c_1 + c_2 < 0$, or if $c_1 + c_2 = 0$ and at least one of $\triangleright_1, \triangleright_2$ is equal to '≥', then $\neg p_1 \wedge \neg p_2$ is unsatisfiable.

We continue by formalizing and generalizing these constraints.

Definition 1. A directed path of length $m$ from $v_i$ to $v_j$ is a list of edges $e_1 \ldots e_m$ s.t. $s(e_1) = v_i$, $t(e_m) = v_j$ and $\forall_{i=1}^{m-1}\, t(e_i) = s(e_{i+1})$. A directed path is called simple if no node is repeated in the path.
We will use capital letters to denote directed paths, and extend the notations $s(e)$, $t(e)$ and $w(e)$ to paths, as follows. Let $T = e_1 \ldots e_m$ be a directed path. Then $s(T) = s(e_1)$, $t(T) = t(e_m)$ and $w(T) = \sum_{i=1}^{m} w(e_i)$. $x(T)$ is defined as follows:

$$x(T) = \begin{cases} \text{'>'} & \text{if } \forall_{i=1}^{m}\, x(e_i) = \text{'>'} \\ \text{'}\ge\text{'} & \text{if } \forall_{i=1}^{m}\, x(e_i) = \text{'}\ge\text{'} \\ \text{'}\sim\text{'} & \text{otherwise} \end{cases}$$

We also extend the notation for dual edges to paths: if $T$ is a directed path, then $\bar{T}$ is the directed path made of the dual edges of $T$ (in reverse order, since each dual edge reverses direction).

Definition 2. A Transitive Sub-Graph (TSG) $A = T \cup B$ is a sub-graph comprised of two directed paths $T$ and $B$, $T \ne B$, starting and ending in the same nodes, i.e., $s(T) = s(B)$ and $t(T) = t(B)$. $A$ is called simple if both $B$ and $T$ are simple and the only nodes shared by $T$ and $B$ are $s(T)$ $(= s(B))$ and $t(T)$ $(= t(B))$.

The transitivity requirements of a directed cycle$^4$ $C$ and a TSG $A$ are presented in Fig. 1. These requirements can be inferred from previous work on this logic, and will not be formally proved here.


(a) Cycles

        x(C)      Rules
  l1:   '≥'       R1, R2
  l2:   '>'       R3, R4
  l3:   else      R2, R3

  R1: if $w(C) > 0$,   $\bigwedge_{e_i \in C} e_i = 0$
  R2: if $w(C) \le 0$, $\bigvee_{e_i \in C} e_i = 1$
  R3: if $w(C) \ge 0$, $\bigwedge_{e_i \in C} e_i = 0$
  R4: if $w(C) < 0$,   $\bigvee_{e_i \in C} e_i = 1$

(b) Transitive sub-graphs

        x(T)   x(B)   Rules
  l1':  '≥'    '>'    R1', R2'
  l2':  '>'    '≥'    R3', R4'
  l3':  else          R2', R3'

  R1': if $w(T) > w(B)$,   $\bigwedge_{e_i \in T} e_i \rightarrow \bigvee_{e_j \in B} e_j$
  R2': if $w(T) \le w(B)$, $\bigwedge_{e_i \in B} e_i \rightarrow \bigvee_{e_j \in T} e_j$
  R3': if $w(T) \ge w(B)$, $\bigwedge_{e_i \in T} e_i \rightarrow \bigvee_{e_j \in B} e_j$
  R4': if $w(T) < w(B)$,   $\bigwedge_{e_i \in B} e_i \rightarrow \bigvee_{e_j \in T} e_j$

Fig. 1. Transitivity requirements of cycles (a) and transitive sub-graphs (b)


Both sets of rules have redundancy due to the dual edges. For example, each cycle $C$ has a dual cycle $\bar{C}$ with an opposite direction and $w(\bar{C}) = -w(C)$. Applying the four rules to both cycles will yield exactly the same constraints. We can therefore consider cycles in one direction only. Alternatively, we can ignore R3 and R4, since the first two rules yield the same result when applied to the dual cycle. Nevertheless we continue with the set of four rules for ease of presentation.

Definition 3. A cycle $C$ (alternatively, a TSG $A$) is satisfied by assignment $\alpha$, denoted $\alpha \models C$, if $\alpha$ satisfies its corresponding constraints as defined in Fig. 1.

$^4$ By a 'directed cycle' we mean a closed directed path in which each sub-cycle is iterated once. It is obvious that iterations over cycles do not add transitivity constraints.
We will denote by $\alpha(e)$ the Boolean value assigned to $e$ by an assignment $\alpha$. We will use the notation $\alpha \not\models_i C$, $1 \le i \le 4$, to express the fact that rule R$i$ is applied to $C$ and is not satisfied by $\alpha$.

Proposition 1. Let $A = T \cup B$ and $C = T \cup \bar{B}$ be a TSG and a directed cycle in $G_\varphi$, respectively. Then $\alpha \models A$ iff $\alpha \models C$.

Proof. Each rule has three parts: the condition under which it is applied (the values of $x(C), x(T)$ and $x(B)$), the antecedent of the rule (the values of $w(C), w(T)$ and $w(B)$) and the consequence of the rule (the values of $\alpha(C), \alpha(T)$ and $\alpha(B)$). We first investigate the relationships between $A$ and $C$ with respect to these three elements:

1. (Applied rule) $x(C) = $'≥' $\leftrightarrow x(T) = $'≥' $\wedge\, x(B) = $'>'. Similarly, $x(C) = $'>' $\leftrightarrow x(T) = $'>' $\wedge\, x(B) = $'≥'. Thus, for $k = 1 \ldots 3$, $l'_k$ applies to $A$ iff $l_k$ applies to $C$. Consequently, rule R$i'$ is applied to $A$ iff rule R$i$ is applied to $C$.

2. (Boolean value of the rule's antecedent) Let $\bowtie$ denote one of the four inequality signs. $w(T) \bowtie w(B) \leftrightarrow w(T) + w(\bar{B}) \bowtie 0 \leftrightarrow w(C) \bowtie 0$. The equivalence of the antecedent of each rule and its primed version is implied.

3. (Boolean value of the rule's consequence under $\alpha$) By definition of dual edges, $\bigvee_{e_j \in \bar{B}} e_j = \neg \bigwedge_{e_j \in B} e_j$ and $\bigwedge_{e_j \in \bar{B}} e_j = \neg \bigvee_{e_j \in B} e_j$. By definition of $A$ and $C$, $\bigwedge_{e_j \in C} e_j = \bigwedge_{e_j \in T} e_j \wedge \bigwedge_{e_j \in \bar{B}} e_j$ and $\bigvee_{e_j \in C} e_j = \bigvee_{e_j \in T} e_j \vee \bigvee_{e_j \in \bar{B}} e_j$. The equivalence of the Boolean value under $\alpha$ of each rule and its primed version is implied.

Given these relationships:

(if) Let R$i'$ be a rule that is not satisfied by $\alpha$ with respect to $A$, i.e. $\alpha \not\models_{i'} A$. The corresponding rule R$i$ is checked for $C$ (item 1). The Boolean values of both the antecedent and consequence of R$i$ are the same as those of R$i'$ (items 2 and 3), and therefore $\alpha$ does not satisfy R$i$ either. Thus, $\alpha \not\models_i C$.

(only if) A similar argument to the if case. Swap R$i$ with R$i'$ and $A$ with $C$. □

Example 1. We demonstrate the duality between TSGs and cycles with a cycle $C$ where $x(C) = $'>' and $w(C) \ge 0$ (Fig. 2(a)). Assume $\alpha$ assigns 1 to all of $C$'s edges, i.e., $\alpha(C) = 1$. Consequently, $\alpha \not\models_3 C$. We construct $A$ from $C$ by substituting, e.g., $e_3$ with its dual (Fig. 2(b)). $A$ is a TSG made of the two directed paths $T = e_4, e_1, e_2$ and $B = \bar{e}_3$, that satisfy $x(T) = $'>', $x(B) = $'≥' and $w(T) \ge w(B)$ (because $w(B) = -w(e_3)$). According to Fig. 1(b), we apply R3' and R4'. But since $\alpha(\bar{e}_3) = \neg\alpha(e_3) = 0$, R3' is not satisfied. Thus, $\alpha \not\models_{3'} A$. □

Fig. 2. A cycle (a) and a possible dual transitive sub-graph (b). Solid edges represent strict inequality ('>') while dashed edges represent weak inequality ('≥').

Proposition 1 implies that it is sufficient to concentrate on either TSGs or cycles. In the rest of this paper we will concentrate on cycles, since their symmetry makes them easier to handle.

The  following  proposition  will  allow  us  to  concentrate  only  on  simple  cycles. 

Proposition 2. Let $C$ be a non-simple cycle in $G_\varphi$, and let $\alpha$ be an assignment to $C$'s edges. If $\alpha \not\models C$ then there exists a sub-graph of $C$ that forms a simple cycle $C'$ s.t. $\alpha \not\models C'$.

Proof. Let $c_1 \ldots c_k$, $k > 1$, be the simple cycles in $C$ (it is possible that some edges are shared by these cycles). We distinguish between several cases:

1. If $x(C) = $'≥' then for all $1 \le i \le k$, $x(c_i) = $'≥' and therefore rules R1 and R2 apply. If $\alpha \not\models_1 C$ then $w(C) > 0$ and $\alpha(C) = \alpha(c_1) = \ldots = \alpha(c_k) = 1$. At least one of these cycles, say $c_j$, has a positive weight, i.e. $w(c_j) > 0$. Since $x(c_j) = $'≥' and $\alpha(c_j) = 1$ then $\alpha \not\models_1 c_j$. For R2, the argument is similar: if $\alpha \not\models_2 C$ then $w(C) \le 0$ and $\alpha(C) = \alpha(c_1) = \ldots = \alpha(c_k) = 0$. There exists a cycle $c_j$ s.t. $w(c_j) \le 0$, and since $x(c_j) = $'≥' and $\alpha(c_j) = 0$ then $\alpha \not\models_2 c_j$.

2. Else, if $x(C) = $'>', the proof is similar to the previous case: swap R1 with R3 and R2 with R4 and change the inequalities accordingly: swap '>' with '≥' and '≤' with '<'.

3. Else, $x(C) = $'~'. We again split the proof:

(a) If $\alpha \not\models_2 C$, then $w(C) \le 0$ and $\alpha(C) = \alpha(c_1) = \ldots = \alpha(c_k) = 0$. If $w(C) = w(c_1) = \ldots = w(c_k) = 0$, we need to show that R2 is applied to at least one of them. But since $x(C) = $'~' then for at least one of these cycles, say $c_j$, $x(c_j) \ne $'>', and therefore R2 is applied to $c_j$. Thus, $\alpha \not\models_2 c_j$. Else, there exists a cycle $c_i$ s.t. $w(c_i) < 0$. Thus $\alpha \not\models_2 c_i$ or $\alpha \not\models_4 c_i$, depending on $x(c_i)$.

(b) If $\alpha \not\models_3 C$, then $w(C) \ge 0$ and $\alpha(C) = \alpha(c_1) = \ldots = \alpha(c_k) = 1$. If $w(C) = w(c_1) = \ldots = w(c_k) = 0$, we need to show that R3 is applied to at least one of them. But since $x(C) = $'~' then for at least one of them, say $c_j$, $x(c_j) \ne $'≥', and therefore R3 is applied to $c_j$. Thus, $\alpha \not\models_3 c_j$. Else, there exists a cycle $c_i$ s.t. $w(c_i) > 0$. Thus $\alpha \not\models_1 c_i$ or $\alpha \not\models_3 c_i$, depending on $x(c_i)$.

We have shown that in all cases if $C$ is not satisfied by $\alpha$, then there exists a simple cycle, which is a sub-graph of $C$, that is not satisfied by $\alpha$. □

Thus, our decision procedure adds constraints to $\varphi'$ for every simple cycle in $G_\varphi$ according to Fig. 1(a).

3.4 A decision procedure and its complexity

To summarize this section, our decision procedure consists of three stages:

1. Normalizing $\varphi$. After this step the formula contains only the '>' and '≥' signs.

2. Deriving $\varphi'$ from $\varphi$ by encoding $\varphi$'s predicates with new Boolean variables. Each predicate adds an edge and its dual to the inequality graph $G_\varphi$, as explained in Section 3.2.

3. Adding transitivity constraints for every simple cycle in $G_\varphi$ according to Fig. 1(a).

We delay the correctness proof (soundness and completeness) to Section 4.2, after we introduce some changes to this basic procedure.
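The following Python carries out the three stages summarized above end to end, including the rules R1 to R4 of Fig. 1(a) from Section 3.3, and runs them on Example 2 of this section as well as on a few further constructed formulas. It is an example added for this edition, not the authors' implementation; the nested-tuple formula syntax, the function names, the choice to share one Boolean variable between identical predicates, and the exhaustive assignment enumeration that stands in for a SAT solver are all this example's own, and the special variable $v_0$ is spelled `"v0"`.

```python
# Added example (not from the paper): the three stages of Section 3, ending in
# an exhaustive propositional check that stands in for a SAT solver.
from itertools import product

V0 = "v0"   # the special variable fixed at value 0 (the paper's v_0)

# Constructed formula syntax: ("and", f, g), ("or", f, g), ("not", f), or a
# predicate ("pred", vi, vj, c, op) meaning  vi op vj + c  with op in
# {">", ">=", "<", "<=", "="}; vj = None means the right-hand side is just c.

def normalize(f):
    """Stage 1 (Section 3.1): afterwards only '>' and '>=' predicates remain."""
    tag = f[0]
    if tag in ("and", "or"):
        return (tag, normalize(f[1]), normalize(f[2]))
    if tag == "not":
        return ("not", normalize(f[1]))
    _, vi, vj, c, op = f
    vj = V0 if vj is None else vj                 # vi |> c  becomes  vi |> v0 + c
    if op == "=":                                 # vi = vj + c  becomes two '>='
        return ("and", ("pred", vi, vj, c, ">="), ("pred", vj, vi, -c, ">="))
    if op in ("<", "<="):                         # vi < vj + c  becomes  vj > vi - c
        return ("pred", vj, vi, -c, ">" if op == "<" else ">=")
    return ("pred", vi, vj, c, op)

def encode(f, edges):
    """Stage 2 (Section 3.2): each predicate becomes the Boolean variable
    (vi, vj, c, op); its edge and its dual (the negated literal) go into `edges`.
    An edge is (source, target, weight, type, (var, polarity))."""
    tag = f[0]
    if tag in ("and", "or"):
        return (tag, encode(f[1], edges), encode(f[2], edges))
    if tag == "not":
        return ("not", encode(f[1], edges))
    _, vi, vj, c, op = f
    var = (vi, vj, c, op)
    edges.add((vi, vj, c, op, (var, True)))
    edges.add((vj, vi, -c, ">=" if op == ">" else ">", (var, False)))
    return ("var", var)

def simple_cycles(edges):
    """All simple directed cycles of the multigraph, each started at its
    smallest node so that rotations of one cycle are not reported twice."""
    out = {}
    for e in edges:
        out.setdefault(e[0], []).append(e)
    cycles = []

    def walk(start, node, path, seen):
        for e in out.get(node, []):
            if e[1] == start:
                cycles.append(tuple(path + [e]))
            elif e[1] > start and e[1] not in seen:
                walk(start, e[1], path + [e], seen | {e[1]})

    for s in sorted(out):
        walk(s, s, [], {s})
    return cycles

def cycle_clauses(edges):
    """Stage 3 (Section 3.3, Fig. 1(a)): rules R1..R4 on every simple cycle."""
    clauses = set()
    for cyc in simple_cycles(edges):
        w = sum(e[2] for e in cyc)
        types = {e[3] for e in cyc}
        x = ">=" if types == {">="} else ">" if types == {">"} else "~"
        lits = frozenset(e[4] for e in cyc)            # clause "not all false"
        negs = frozenset((v, not p) for v, p in lits)  # clause "not all true"
        if x == ">=" and w > 0:
            clauses.add(negs)                          # R1
        if x != ">" and w <= 0:
            clauses.add(lits)                          # R2
        if x != ">=" and w >= 0:
            clauses.add(negs)                          # R3
        if x == ">" and w < 0:
            clauses.add(lits)                          # R4
    # A cycle formed by an edge and its own dual only yields tautologies.
    return {cl for cl in clauses if not any((v, not p) in cl for v, p in cl)}

def reduce_to_sat(formula):
    """(phi', transitivity clauses, encoding variables) for a formula phi."""
    edges = set()
    phi1 = encode(normalize(formula), edges)
    return phi1, cycle_clauses(edges), sorted({e[4][0] for e in edges})

def evaluate(f, a):
    tag = f[0]
    if tag == "var":
        return a[f[1]]
    if tag == "not":
        return not evaluate(f[1], a)
    l, r = evaluate(f[1], a), evaluate(f[2], a)
    return (l and r) if tag == "and" else (l or r)

def decide(formula):
    """A satisfying assignment to the encoding variables, or None."""
    phi1, clauses, vars_ = reduce_to_sat(formula)
    for bits in product((False, True), repeat=len(vars_)):
        a = dict(zip(vars_, bits))
        if evaluate(phi1, a) and all(any(a[v] == p for v, p in cl) for cl in clauses):
            return a
    return None

# Example 2 of the paper:  x > y - 1  or  not(z >= y - 2  and  x >= z)
EXAMPLE_2 = ("or", ("pred", "x", "y", -1, ">"),
             ("not", ("and", ("pred", "z", "y", -2, ">="), ("pred", "x", "z", 0, ">="))))
# Constructed:  x > y + 1  and  y > z  and  z >= x - 1, a mixed cycle of weight 0
UNSAT_CYCLE = ("and", ("pred", "x", "y", 1, ">"),
               ("and", ("pred", "y", "z", 0, ">"), ("pred", "z", "x", -1, ">=")))
```

On `EXAMPLE_2` the cycle $x \to y \to z \to x$ (the original edge for $x > y - 1$, then the duals of the two weak predicates) has weight $1$ and type '>', so R3 fires and the only surviving clause is the one computed by hand in Example 2; its dual cycle produces the same clause and is absorbed by the set. `UNSAT_CYCLE` shows a mixed cycle of weight 0, where R3 forbids the all-true assignment that $\varphi'$ demands, so the reduction correctly reports unsatisfiability. The enumeration of simple cycles is exponential in the worst case, which is exactly the issue Section 4 addresses.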

Example 2. Consider the formula

$$\varphi : \; x > y - 1 \;\vee\; \neg(z \ge y - 2 \;\wedge\; x \ge z)$$

After step 2 we have

$$\varphi' : \; e^{-1,>}_{x,y} \;\vee\; \neg(e^{-2,\ge}_{z,y} \;\wedge\; \neg e^{0,>}_{z,x})$$

(for simplicity we refer to the weak inequality predicate $x \ge z$ by the negation of its dual, $\neg e^{0,>}_{z,x}$). Together with the dual edges, $G_\varphi$ contains one cycle with weight 1 consisting of the vertices $x, y, z$ (the edge $(x, y, -1, >)$, the dual $(y, z, 2, >)$ of $e^{-2,\ge}_{z,y}$, and $(z, x, 0, >)$), and the dual of this cycle. Considering the former, all of whose edges are strict, according to R3 we add to $\varphi'$ the constraint

$$\neg e^{-1,>}_{x,y} \;\vee\; \neg(\neg e^{-2,\ge}_{z,y}) \;\vee\; \neg e^{0,>}_{z,x}$$

The constraint on the dual cycle is equivalent and is therefore not computed. □

This example demonstrates that the suggested procedure may generate redundant constraints (yet none of them makes the procedure incomplete). There is no reason to consider cycles whose edges are never conjoined in the DNF of $\varphi$. In [22] we prove this observation and explain how the above procedure can be combined with conjunctions matrices in order to avoid redundant constraints. The conjunctions matrix of $\varphi$ is a $|E| \times |E|$ matrix, computable in polynomial time, that states for each pair of predicates in $\varphi$ whether they would appear in the same clause if the formula were transformed to DNF. This information is sufficient for concluding whether a given cycle ever appears as a whole in a single DNF clause. Only if the answer is yes do we add the associated constraint. We refer the reader to the above reference for more details on this improvement (note that the experiments in Section 6 did not include this optimization).


Complexity. The complexity of enumerating the constraints for all simple cycles is linear in the number of cycles. There may be an exponential number of such cycles. Thus, while the number of variables is fixed, the number of constraints can be exponential (yet bounded by $2^{|E|}$). SAT is exponential in the number of variables and linear in the number of constraints. Therefore the complexity of the SAT checking stage in our procedure is tightly bounded by $O((2^{|E|})^2) = O(2^{2|E|})$, which is similar to the complexity of the Bellman-Ford procedure combined with case-splitting. The only argument in favor of our method is that in practice SAT solvers are less sensitive to the number of variables, and are more affected by the connectivity between them. The experiments detailed in Section 6 show that this observation applies at least to the set of examples we tried. The SAT phase was never the bottleneck in our experiments; rather it was the generation of the formula.

Thus, the more interesting question is whether the cycle enumeration phase is easier than case-splitting, as both are exponential in $|E|$. The answer is that normally there are significantly more clauses to derive and check than there are cycles to enumerate. There are two reasons for this: first, the same cycles can be repeated in many clauses; second, in satisfiable formulas many clauses do not contain a cycle at all.

4  Compact  representation  of  transitivity  constraints 

Explicit enumeration of cycles will result in 2^n constraints in the case of Fig. 3(a), regardless of the weights on the edges. In many cases this worst case can be avoided by adding more edges to the graph. The general idea is to project the information that is contained in a directed path (i.e., the accumulated weight and the type of the edges in the path) onto a single edge. If there are two or more paths that bear the same information, the representation will be more compact. In Section 4.2 we will elaborate on the implications of this change for the complexity of the procedure.

4.1  From  cycles  to  triangles 

The main tool that we will use for deriving the compact representation is chordal graphs. Chordal graphs (a.k.a. triangulated graphs) are normally defined in the context of undirected, unweighted graphs. A chordal graph in that context is a graph in which all cycles of size 4 or more contain an internal chord (an edge between non-adjacent vertices). Chordal graphs were used in [6] to represent transitivity constraints (of equality, in their case) in a concise way. We will use them for the same purpose. Yet, there are several aspects in which G_φ differs from the graph considered in the standard definition: G_φ is a directed multigraph with two types of edges, the edges are weighted, and each one of them has a dual.

Definition 4. Let C be a simple cycle in G_φ. Let v_i and v_j be two non-adjacent nodes in C. We denote the path from v_i to v_j by T_{i,j}. A chord e from v_i to v_j is called T_{i,j}-accumulating if it satisfies these two requirements:

1. w(e) = w(T_{i,j})

2. x(e) = ‘>’ if x(T_{i,j}) = ‘>’, or if x(T_{i,j}) = ‘~’ and x(T_{j,i}) = ‘≥’. Otherwise x(e) = ‘≥’.

This definition refers to the case of one path between i and j, and can easily be extended if there is more than one such path. Note that the definition of x(e) relies on x(T_{j,i}), which is based on the edges of the ‘other side’ of the cycle. Since there can be more than one path T_{j,i}, and each one can have different types of edges, making the graph chordal may require the addition of two edges between i and j, corresponding to the two types of inequality signs. As will be shown in Section 4.2, our decision procedure refrains from explicitly checking all the paths T_{j,i}. Rather, it adds these two edges automatically when x(T_{i,j}) = ‘~’.

Fig. 3. (a) In a closed n-diamonds shape there are 2^n simple cycles. (b) The edge e accumulates the path T_{i,j} = (e1, e2).

Definition 4 gives rise to the following observation, which we state without proof:


Proposition 3. Let e be a T_{i,j}-accumulating chord in a simple cycle C, and let C' = (C ∪ e) \ T_{i,j}. The following equivalences hold: x(C) = x(C') and w(C) = w(C').

Example 3. In Fig. 3(b), each edge is marked with its identifier e_i and weight c_i. By Definition 4, e is a T_{i,j}-accumulating chord. Let C' = (C ∪ e) \ T_{i,j} = (e, e3, e4). Then, as observed in Proposition 3, x(C') = x(C) = ‘~’ and w(C') = w(C) = Σ_{i=1}^{4} c_i. □

Definition 5. G_φ is called chordal if all simple cycles in G_φ of size greater than or equal to 4 contain an accumulating chord.

We leave the question of how to make G_φ chordal to the next section. We first prove the following proposition:

Proposition 4. Let C be a simple cycle in a chordal graph G_φ, and let α be an assignment to the edges of C. If α ⊭ C then there exists a simple cycle C' of size 3 in G_φ s.t. α ⊭ C'.

Proof. Let C be a simple cycle in G_φ of size greater than 3. Since G_φ is chordal, it contains an accumulating chord e from, say, v_i to v_j.

We denote the path from v_i to v_j by T_{i,j} and the cycle through e by C1, i.e. C1 = (C ∪ e) \ T_{i,j} (in Fig. 3(b), C1 = (e, e3, e4)). Recall that α ⊭ C only if α(C) ≠ ⊥. We now consider two cases:

1. α(e) = α(C).

According to Proposition 3, x(C) = x(C1) and w(C) = w(C1). Thus, the same rules apply to C and C1, and the antecedents of the rules evaluate the same. Since we assumed that α(e) = α(C), the consequences of all rules also evaluate equally. Thus, α ⊭ C iff α ⊭ C1.

2. α(e) = 1 − α(C).

Consider the cycle C2 = T_{i,j} ∪ ē (in Fig. 3(b), C2 = (e1, e2, ē)). By definition of e and ē, x(C2) = ‘~’ and w(C2) = 0. Thus, both R2 and R3 are applied, and the antecedent of both rules is true, which implies that both of their consequences should be true. By definition of dual edges, the following holds: α(T_{i,j}) = α(C) = 1 − α(e) = α(ē). Thus, α assigns T_{i,j} and ē the same Boolean value, and therefore α(C2) is either 0 or 1. In the first case α ⊭_2 C2, and in the second α ⊭_3 C2.

In both cases we found a cycle that is not satisfied by α and is smaller than C. If either C1 or C2 is of size 3 or less, we assign it to C' and we are done. Otherwise, we apply this proof recursively with either C1 or C2. Since both are smaller than C, termination is guaranteed. □

4.2  The  enhanced  decision  procedure  and  its  complexity 

Based  on  the  above  results,  we  change  the  basic  decision  procedure  of  Section  3.  We 
add  a  stage  for  making  the  graph  chordal,  and  restrict  the  constraints  addition  phase  to 
cycles  of  size  3  or  less: 

1. In the graph construction stage of Section 3.2, we add a third step for making the graph chordal:

3. Make the graph chordal.

While V ≠ ∅:

(a) Choose an unmarked vertex i ∈ V and mark it.

(b) For each pair of edges (j, i, c1, x1), (i, k, c2, x2) ∈ E, where j and k are unmarked vertices and j ≠ k:

• Add (j, k, c1 + c2, x1) and its dual to E.

• If x1 ≠ x2, add (j, k, c1 + c2, x2) and its dual to E.

2. Rather than enumerating constraints for all simple cycles, as explained in Section 3.3, we only concentrate on cycles of size 2 and 3.

Various  heuristics  can  be  used  for  deciding  the  order  in  which  vertices  are  chosen  in  step 
3(a).  Our  implementation  follows  a  greedy  criterion:  it  removes  the  vertex  that  results 
in  the  minimum  number  of  added  edges. 
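The following is an added example, not code from the paper or from its authors' implementation: a Python version of step 3 (making G_φ chordal, with the greedy fewest-added-edges order described above) and of the new step 2 (collecting the simple cycles of size 2 and 3). The edge representation, the function names, and the diamond_chain generator (a constructed input in the shape of Fig. 3(a)) are all assumptions of this example. The clauses produced by cycle_clauses are derived from the semantics of adding the predicates around a cycle, because the rules R1, R2 and R3 of Fig. 1(a) are not reproduced on this page; they are the constraints such an encoding must contain, not a transcription of the paper's rule table. Run on balanced and unbalanced diamond chains, it also exhibits the linear versus quadratic growth in added edges that the complexity discussion later in this section describes.

```python
"""Added example: the chordal-graph stage of Section 4.2 in Python."""
from itertools import product

# An edge (src, dst, c, kind) stands for the predicate  src kind dst + c,
# with kind in {'>', '>='}.  The dual of an edge is its negation, reversed.

def dual(e):
    s, d, c, x = e
    return (d, s, -c, '>=' if x == '>' else '>')

def with_duals(edges):
    return set(edges) | {dual(e) for e in edges}

def chords_for(E, i, marked):
    """Step 3(b): the chords that marking vertex i adds (unmarked j != k)."""
    new = set()
    inc = [e for e in E if e[1] == i and e[0] not in marked]
    out = [e for e in E if e[0] == i and e[1] not in marked]
    for (j, _, c1, x1), (_, k, c2, x2) in product(inc, out):
        if j == k:
            continue
        for x in {x1, x2}:               # a second chord only when x1 != x2
            chord = (j, k, c1 + c2, x)
            new.update({chord, dual(chord)})
    return new - E                       # edges already in E are not re-added

def make_chordal(vertices, edges, order=None):
    """Step 3: mark vertices one at a time and add the chords of step 3(b).
    With order=None the greedy criterion of the text is used: the vertex
    whose elimination adds the fewest edges is marked next."""
    E = with_duals(edges)
    marked, remaining = set(), list(vertices)
    while remaining:
        i = order[len(marked)] if order else min(
            remaining, key=lambda v: len(chords_for(E, v, marked)))
        marked.add(i)
        remaining.remove(i)
        E |= chords_for(E, i, marked)
    return E

def short_cycles(E):
    """Step 2 of the enhanced procedure: all simple cycles of size 2 and 3."""
    out = {}
    for e in E:
        out.setdefault(e[0], []).append(e)
    cycles = set()
    for e1 in E:
        for e2 in out.get(e1[1], []):
            if e2[1] == e1[0]:
                cycles.add(frozenset((e1, e2)))
            else:
                for e3 in out.get(e2[1], []):
                    if e3[1] == e1[0]:
                        cycles.add(frozenset((e1, e2, e3)))
    return cycles

def cycle_clauses(cycle):
    """Transitivity constraints of one cycle, derived here from the semantics
    (the rules R1-R3 of Fig. 1(a) are not reproduced on this page).  Adding
    the predicates around the cycle gives  0 kind w(C):  'all edges true' is
    inconsistent when w(C) > 0, or w(C) = 0 with some strict edge; 'all edges
    false' is the dual cycle (weight -w(C), kinds flipped) being all true.
    A clause is a set of (edge, value) literals, one of which must hold."""
    w = sum(e[2] for e in cycle)
    strict = any(e[3] == '>' for e in cycle)
    weak = any(e[3] == '>=' for e in cycle)
    clauses = []
    if w > 0 or (w == 0 and strict):
        clauses.append(frozenset((e, False) for e in cycle))   # not all true
    if w < 0 or (w == 0 and weak):
        clauses.append(frozenset((e, True) for e in cycle))    # not all false
    return clauses

def diamond_chain(D, S, top, bottom):
    """Constructed input shaped like Fig. 3(a): D diamonds whose top and bottom
    paths have S >= 2 edges each with (weight, kind) `top` / `bottom`, closed
    by a zero-weight weak edge from v_{D+1} back to v_1."""
    edges = []
    for i in range(1, D + 1):
        for side, (w, kind) in (('t', top), ('b', bottom)):
            path = [f'v{i}'] + [f'{side}{i}_{j}' for j in range(1, S)] + [f'v{i+1}']
            edges += [(path[j], path[j + 1], w, kind) for j in range(S)]
    edges.append((f'v{D+1}', 'v1', 0, '>='))
    return sorted({v for e in edges for v in e[:2]}), edges

def added_edges(D, S, top, bottom, order=None):
    """Edges (chords plus their duals) that step 3 adds to the diamond chain."""
    vertices, edges = diamond_chain(D, S, top, bottom)
    return len(make_chordal(vertices, edges, order)) - 2 * len(edges)

if __name__ == '__main__':
    for D in range(1, 6):   # balanced diamonds grow linearly, skewed ones quadratically
        print(D, added_edges(D, 2, (0, '>='), (0, '>=')), added_edges(D, 2, (1, '>='), (2, '>=')))
    V, es = diamond_chain(3, 2, (-1, '>'), (2, '>='))
    E = make_chordal(V, es)
    print(len(short_cycles(E)), 'short cycles,',
          sum(len(cycle_clauses(c)) for c in short_cycles(E)), 'clauses')
```

Two design points are worth noting. Because the dual of every predicate is an edge, each size-2 cycle {e, ē} yields the two clauses that make ē the negation of e; in a real encoding one Boolean variable per predicate makes those clauses redundant, which is why the text speaks of cycles of size 2 and 3 rather than only triangles. The chordal step works on a set, so a chord that is already present (for instance the one a balanced diamond's bottom path would add after its top path) costs nothing, which is exactly where the saving over explicit cycle enumeration comes from.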

Proposition 5. The graph G_φ, as constructed in step 3, is chordal.

Proof. Falsely assume that there exists a simple cycle C = (e1 ... e_m), m > 3, that does not contain an accumulating chord. Let v_t, 0 < t ≤ m, denote the first node in C that was marked in step 3(a).

Let e_t be an edge from v_{t−1} to v_t and e_{t+1} be an edge from v_t to v_{t+1}⁵. Using the notation of Definition 4, T_{t−1,t+1} = (e_t, e_{t+1}). We split the discussion into two cases:

1. If x(e_t) = x(e_{t+1}) then x(T_{t−1,t+1}) ≠ ‘~’, and according to step 3(b) we add an edge e = (v_{t−1}, v_{t+1}, w(e_t) + w(e_{t+1}), x(T_{t−1,t+1})) to G_φ. e satisfies both requirements for a T_{t−1,t+1}-accumulating chord: w(e) = w(T_{t−1,t+1}) and x(e) = x(T_{t−1,t+1}) (since x(T_{t−1,t+1}) ≠ ‘~’, the latter is equivalent to the requirement in the definition).

2. Else, we add the two edges e1 = (v_{t−1}, v_{t+1}, w(e_t) + w(e_{t+1}), ‘≥’) and e2 = (v_{t−1}, v_{t+1}, w(e_t) + w(e_{t+1}), ‘>’). Both satisfy the first requirement for an accumulating chord: w(e1) = w(e2) = w(T_{t−1,t+1}); one of them satisfies the second requirement (depending on the value of x(T_{t+1,t−1})). Thus, one of these edges is a T_{t−1,t+1}-accumulating chord.

⁵ If t = 1 or t = m we change the indices accordingly.

Thus, in all cases C contains an accumulating chord, which contradicts our assumption. Thus, G_φ is chordal. □


We now have all the necessary components for proving the soundness and the completeness of this procedure:

Proposition 6. φ is satisfiable if and only if φ' is satisfiable.

Proof. (if) Fig. 1(a) states the transitivity constraints that are lost due to the abstraction of the separation predicates. According to Proposition 2, every assignment that violates one of these constraints in the abstracted formula φ' also violates a constraint on a simple cycle in φ'. Proposition 5 assures us that G_φ is chordal, and according to Proposition 4, in a chordal graph transitivity of simple cycles is guaranteed by preserving transitivity of cycles whose size is less than or equal to three. Since we add the constraints of Fig. 1(a) for every cycle of size less than or equal to three, φ' retains the transitivity of φ. Thus, φ is satisfiable if φ' is satisfiable. (only if) Encoding each predicate with a new Boolean variable is conservative. The added constraints are exactly those that are imposed by transitivity of the inequality signs. Thus, φ is satisfiable only if φ' is satisfiable. □


Complexity.  In  the  worst  case,  the  process  of  making  the  graph  chordal  can  add  an 
exponential  number  of  edges.  Consider  the  following  example  that  demonstrates  this 
worst-case  behavior. 

Example 4. Consider the graph in Figure 4. It is cyclic on n vertices v1, v2, ..., vn. There are n edges going from v_i to v_{i+1} for 1 ≤ i ≤ n − 1 and also from v_n to v_1 to close the cycles. Thus, we see that there are n^n simple cycles in this graph, and so the cycle enumeration based technique has exponential complexity.

However, the chordal graph based technique will also demonstrate exponential behavior on this example. The weights on the edges are chosen as follows:

1. For 1 ≤ i ≤ n − 1, the weights on edges going from v_i to v_{i+1} are 0, n^{i−1}, 2n^{i−1}, ..., (n − 1)n^{i−1}.

2. The weights on edges going from v_n to v_1 are 0, n^{n−1}, 2n^{n−1}, ..., (n − 1)n^{n−1}.

We can see that no matter where we start adding chords, we will end up adding one chord for every weight between 0 and n^n − 1. Thus, we will end up adding n^n chords. □

Combining the worst-case possibility of an exponential number of edges with the complexity of SAT, the procedure appears to be double exponential. However, notice that the transitivity constraints generated from the chordal graph are Horn clauses. Therefore, given an assignment to the Boolean encoding of the original formula, the transitivity constraints are implied in linear time. Hence, the SAT solver can be restricted to case-split only on the Boolean variables encoding the original set of predicates, and this results in a SAT run time that is exponential in the number of clauses and linear in the number of transitivity constraints. Therefore, the overall procedure is exponential in the number of original predicates (original edges in the constraint graph).

Fig. 4. Graph that results in an exponential number of chordal edges being added.


Also, in many cases the chordal method can reduce complexity: consider, for example, a graph similar to the one in Fig. 3(a), where all edges are of the same type. If all the top edges have a uniform weight c1 and all the bottom edges have a different uniform weight c2, it can be shown that the number of added edges, and hence the number of constraints, is quadratic in n. Alternatively, if all the diamonds are ‘balanced’, i.e., the accumulated weights of the top and bottom paths of each diamond are equal, the number of added edges is linear in n. The second example includes the frequently encountered case in which all weights are equal to 0. Thus, in both cases the size of the formula and the complexity of generating it are smaller than in the explicit enumeration method of Section 3.


5  Integer  domains 

In our discussion so far we assumed that all variables in the formula are of type real. We now extend our analysis to integer separation predicates, i.e., predicates of the form v_i ⊳ v_j + c, where v_i and v_j are declared as integers (predicates involving both types of variables are assumed to be forbidden). We add a preprocessing stage right after φ is normalized:

1. Transform φ to Negation Normal Form (NNF), i.e., negations are allowed only over atomic predicates, and eliminate negations by reversing inequality signs⁶.

2. Replace all integer separation predicates of the form v_i ⊳ v_j + c where c is not an integer with v_i ≥ v_j + ⌈c⌉.

3. Replace each integer predicate of the form v_i > v_j + c in φ by the predicate v_i ≥ v_j + c + 1.

The procedure now continues as before, assuming all variables are of type real.

⁶ There is no need to actually transform the formula. It is sufficient to predict what the inequality sign of each predicate would be if the formula were transformed to this form. This can be done simply by counting the number of negations nesting each predicate.

Example 5. Consider the unsatisfiable formula φ : x > y + 1.2 ∧ ¬(y ≤ x − 2), where x and y are integers. After the preprocessing step, φ : x ≥ y + 2 ∧ y ≥ x − 1. □
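As an added example (not code from the paper), the three preprocessing steps are implemented below over a small formula representation of this example's own design; the names normalize, to_nnf, integerize, preprocess, evaluate and same_on_integers are assumptions here, not the paper's. Step 1 follows footnote 6 in spirit: the negation count is carried down the tree and each predicate's sign is reversed accordingly. The block reproduces Example 5 and, going slightly beyond the text, brute-forces a box of integer assignments to confirm that the transformed formula agrees with the original on integers, which is stronger than the equisatisfiability that Proposition 7 states.

```python
"""Added example: the integer preprocessing of Section 5 on a formula AST."""
import math
from itertools import product

# Formula AST: ('and', f, g) | ('or', f, g) | ('not', f) | ('pred', l, op, r, c)
# where ('pred', 'x', '>', 'y', 1.2) stands for  x > y + 1.2.  The other
# inequality signs are normalized by swapping sides:  y <= x - 2  is  x >= y + 2.

FLIP = {'<': '>', '<=': '>='}
NEG = {'>': '>=', '>=': '>'}        # not(x > y + c)  is  y >= x - c

def normalize(pred):
    _, l, op, r, c = pred
    if op in FLIP:
        l, r, op, c = r, l, FLIP[op], -c
    return ('pred', l, op, r, c)

def to_nnf(f, negated=False):
    """Step 1: push negations down to the predicates and eliminate them there
    by reversing the inequality (the parity of enclosing negations decides)."""
    tag = f[0]
    if tag == 'not':
        return to_nnf(f[1], not negated)
    if tag in ('and', 'or'):
        tag2 = ('or' if tag == 'and' else 'and') if negated else tag
        return (tag2, to_nnf(f[1], negated), to_nnf(f[2], negated))
    _, l, op, r, c = normalize(f)
    if negated:
        l, r, op, c = r, l, NEG[op], -c
    return ('pred', l, op, r, c)

def integerize(f):
    """Steps 2 and 3 on a negation-free formula."""
    if f[0] in ('and', 'or'):
        return (f[0], integerize(f[1]), integerize(f[2]))
    _, l, op, r, c = f
    if c != int(c):                  # step 2:  x op y + c   ->  x >= y + ceil(c)
        op, c = '>=', math.ceil(c)
    if op == '>':                    # step 3:  x > y + c    ->  x >= y + c + 1
        op, c = '>=', c + 1
    return ('pred', l, op, r, c)

def preprocess(f):
    return integerize(to_nnf(f))

def evaluate(f, env):
    """Truth value of f under the assignment env (variable name -> number)."""
    tag = f[0]
    if tag == 'and':
        return evaluate(f[1], env) and evaluate(f[2], env)
    if tag == 'or':
        return evaluate(f[1], env) or evaluate(f[2], env)
    if tag == 'not':
        return not evaluate(f[1], env)
    _, l, op, r, c = f
    d = env[l] - env[r]
    return {'>': d > c, '>=': d >= c, '<': d < c, '<=': d <= c}[op]

def same_on_integers(f, g, names, lo=-4, hi=4):
    """Brute force: do f and g agree on every integer point of the box [lo, hi]^n?"""
    for vals in product(range(lo, hi + 1), repeat=len(names)):
        env = dict(zip(names, vals))
        if evaluate(f, env) != evaluate(g, env):
            return False
    return True

# The formula of Example 5:  x > y + 1.2  and  not(y <= x - 2)
EXAMPLE_5 = ('and', ('pred', 'x', '>', 'y', 1.2),
                    ('not', ('pred', 'y', '<=', 'x', -2)))

if __name__ == '__main__':
    print(preprocess(EXAMPLE_5))      # x >= y + 2  and  y >= x - 1
    print(same_on_integers(EXAMPLE_5, preprocess(EXAMPLE_5), ['x', 'y']))
```

The order of steps 2 and 3 matters in integerize: the ceiling is taken first, so a strict predicate with a non-integer constant such as x > y + 1.2 becomes x ≥ y + 2 directly, as in the example, and is never shifted by a further +1.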

We denote by φ^I the normalized combination of integer separation predicates (i.e., after step 1). It is obvious that φ^I is logically equivalent to the original formula φ. We denote by φ^R the result of applying steps 2 and 3 to φ^I. We now need to prove the following proposition:

Proposition 7. φ^I is satisfiable iff φ^R is satisfiable.

We prove Proposition 7 in two steps, corresponding to the last two steps of the preprocessing stage.

Lemma 1. Let v_i ⊳ v_j + c be an integer separation predicate in φ^I where c is non-integer. Derive φ^I_1 from φ^I by replacing this predicate with v_i ≥ v_j + ⌈c⌉. Then for every assignment α, α ⊨ φ^I iff α ⊨ φ^I_1.

Proof. Since there are no negations in φ^I and φ^I_1, it is sufficient to prove that if a predicate is satisfied in one formula it can be satisfied in the other.

(if) Suppose v_i ⊳ v_j + c evaluates to true under α. We can rewrite this as v_i − v_j ⊳ c. The LHS is integral while the RHS is non-integral. Therefore clearly v_i − v_j ≥ ⌈c⌉ is also true under α. Thus α ⊨ φ^I_1. (only if) Trivial. □

Applying this proof inductively on the predicates in φ^I proves the correctness of the first step. We denote the formula resulting from the first step as φ^I_1.

Lemma 2. Let φ^I_1 be a normalized combination of integer separation predicates where all constants are integers, and let φ^R be the result of applying the second step in the preprocessing stage to φ^I_1. Then φ^I_1 is satisfiable iff φ^R is satisfiable.

Proof. Since there are no negations in either formula, it is sufficient to prove that all predicates in one formula can be satisfied in the other.

(if) Let α be an (integer) assignment s.t. α ⊨ φ^I_1, and let P be the set of predicates in φ^I_1 of the form v_i > v_j + c that are satisfied by α. Since v_i and v_j are integers, clearly v_i ≥ v_j + c + 1 is satisfied by α. Thus, α ⊨ φ^R.

(only if) Let α be an assignment s.t. α ⊨ φ^R. Let v^R_1 ... v^R_n be the real values assigned by α to v_1 ... v_n, the variables in φ^R. Also, let P be the set of predicates in φ^R that are satisfied by α. Define v^I_t = ⌊v^R_t⌋ for 1 ≤ t ≤ n. Note that by definition, 0 ≤ v^R_t − v^I_t < 1 for all 1 ≤ t ≤ n. We define the assignment α^I as follows: v_t = v^I_t for 1 ≤ t ≤ n. We now show that α^I satisfies all the predicates in P. Note that there are no strict inequalities in P. Let p_1 : v_i ≥ v_j + c be a predicate in P that was obtained by substituting out a predicate p'_1 : v_i > v_j + c − 1 in φ^I_1. Since p_1 is satisfied by α, v^R_i ≥ v^R_j + c. Using the possible range for v^R − v^I, we get v^I_i > v^R_i − 1 ≥ v^R_j + c − 1 ≥ v^I_j + c − 1, which implies that v^I_i > v^I_j + c − 1. Now, let p_2 : v_i ≥ v_j + c be a predicate in P that occurred in φ^I_1. We see that v^I_i + 1 > v^R_i ≥ v^R_j + c ≥ v^I_j + c, which implies that v^I_i > v^I_j + c − 1. But since the RHS is integer, v^I_i ≥ v^I_j + c. Thus, both types of predicates are satisfied under α^I. We conclude that α^I ⊨ φ^I_1, hence φ^I_1 is satisfiable. □

□


6  Experimental  results 

To test whether checking the encoded propositional formula φ' is indeed easier than checking the original formula φ, we generated a number of sample formulas and checked them before and after the encoding. We checked the original formulas with the ICS theorem prover, and checked the encoded formula φ' with the SAT solver Chaff [15].

First, we generated formulas that have the ‘diamond’ structure of Fig. 3(a), with D conjoined diamonds. Although artificial examples like this one are not necessarily realistic, they are useful for checking the decision procedure under controlled conditions. Each diamond had the following properties: the top and bottom paths have S conjoined edges each; the top and bottom paths are disjoint; the edges in the top path represent strict inequalities, while the edges in the bottom path represent weak inequalities. Thus, there are 2^D simple conjoined cycles, each of size (D · S + 1).

Example 6. The formula below represents the diamond structure that we used in our benchmark for S = 2. For better readability, we use the notation of edges rather than the one for their associated Boolean variables. We denote by t^i_j (b^i_j) the jth node in the top (bottom) path of the ith diamond. Also, for simplicity we chose a uniform weight c, which in practice varied as we explain below.

\[
\bigwedge_{i=1}^{D} \Big( \big( (v_i, t^i_1, c, >) \wedge (t^i_1, v_{i+1}, c, >) \big) \vee \big( (v_i, b^i_1, c, \geq) \wedge (b^i_1, v_{i+1}, c, \geq) \big) \Big) \wedge (v_{D+1}, v_1, c, >)
\]

□

By adjusting the weights of each edge, we were able to control the difficulty of the problem: first, we guaranteed that there is only one satisfying assignment to the formula, which makes it more difficult to solve (e.g., in Example 6, if we assign c = −1 for all top edges, c = (D − 1) for all bottom edges, and c = S · D − 1 for the last, closing edge, only the path through the top edges is satisfiable); second, the weights on the bottom and top paths are uniform (yet the diamonds are not balanced), which, it can be shown, causes a quadratic growth in the number of added edges and constraints. This, in fact, turned out to be the bottleneck of our procedure. As illustrated in the table, Chaff solved all SAT instances in negligible time, while the procedure for generating the CNF formula (titled ‘CNF’) became less and less efficient. However, in all cases except the last one, the combined run time of our procedure was faster than the three theorem provers we experimented with. In a second batch (not listed in the table), we changed all weights to ‘1’. This, on the one hand, balanced the diamonds (each diamond ‘collapsed’ into a single chord with weight S) and hence resulted in linear growth. On the other hand, it made the formula unsatisfiable, because all paths have positive accumulated weight. Generating the formula became easy (less than a second) for all instances, while there was no significant change in the run times of the theorem provers. The table in Fig. 5 includes results for 7 cases. The results clearly demonstrate the ease of solving the propositional encoding in comparison with the original formula.

Fig. 5. Results in seconds, when applied to diamond-shaped graphs with D diamonds, each of size S. ‘*’ denotes run time exceeding 10^4 sec.
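An added example, not the authors' benchmark generator: it builds the formula of Example 6 for given D and S with the weights just described (c = −1 on top edges, D − 1 on bottom edges, S · D − 1 on the closing edge) and enumerates the 2^D DNF terms of the formula. Each term picks the top or the bottom path of every diamond and, together with the closing edge, is exactly one simple cycle of size D · S + 1; the term is satisfiable iff that cycle is consistent, which follows from adding the predicates around it. The closing edge is taken as strict, as in the formula of Example 6 above, although the outcome does not depend on that choice. The function names chain, example6, consistent, consistent_terms and benchmark_weights are assumptions of this example.

```python
"""Added example: which DNF terms of the Example 6 benchmark are consistent."""
from itertools import product

def chain(src, dst, inner, c, kind):
    """Edges (src, dst, c, kind) of the path src -> inner ... -> dst, weight c each."""
    nodes = [src] + inner + [dst]
    return [(nodes[j], nodes[j + 1], c, kind) for j in range(len(nodes) - 1)]

def example6(D, S, top_c, bottom_c, closing_c):
    """The diamond formula of Example 6: per diamond i a strict top path and a
    weak bottom path of S edges from v_i to v_{i+1}, plus one closing edge from
    v_{D+1} to v_1 (taken as strict here; the result does not depend on it).
    Returns a list of (top, bottom) edge lists and the closing edge."""
    diamonds = []
    for i in range(1, D + 1):
        top = chain(f'v{i}', f'v{i+1}', [f't{i}_{j}' for j in range(1, S)], top_c, '>')
        bottom = chain(f'v{i}', f'v{i+1}', [f'b{i}_{j}' for j in range(1, S)], bottom_c, '>=')
        diamonds.append((top, bottom))
    return diamonds, (f'v{D+1}', 'v1', closing_c, '>')

def consistent(cycle):
    """Adding  src kind dst + c  around a cycle gives  0 kind w(C):  the edges can
    hold simultaneously iff w(C) < 0 when some edge is strict, w(C) <= 0 otherwise."""
    w = sum(c for _, _, c, _ in cycle)
    return w < 0 if any(k == '>' for *_, k in cycle) else w <= 0

def consistent_terms(D, S, top_c, bottom_c, closing_c):
    """Every DNF term chooses 't' or 'b' per diamond; returns the consistent ones."""
    diamonds, closing = example6(D, S, top_c, bottom_c, closing_c)
    terms = []
    for choice in product('tb', repeat=D):
        cycle = [e for (top, bottom), ch in zip(diamonds, choice)
                 for e in (top if ch == 't' else bottom)] + [closing]
        assert len(cycle) == D * S + 1          # one simple cycle per term
        if consistent(cycle):
            terms.append(''.join(choice))
    return terms

def benchmark_weights(D, S):
    """Weights of the first batch: -1 on top edges, D-1 on bottom edges, S*D-1 closing."""
    return -1, D - 1, S * D - 1

if __name__ == '__main__':
    for D, S in ((2, 2), (3, 2), (4, 3)):
        print(D, S, consistent_terms(D, S, *benchmark_weights(D, S)))  # only the all-top term
    print(consistent_terms(3, 2, 1, 1, 1))   # second batch, all weights 1: no term
```

For the first batch the all-top cycle has weight −S · D + S · D − 1 = −1, and a term with k bottom paths has weight S · k · D − 1 > 0, so exactly one term is consistent for every D and S; with all weights set to 1 every cycle has positive weight, matching the unsatisfiability reported for the second batch.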


As a more realistic test, we experimented with formulas that are generated in hardware verification problems. To generate these formulas we used the UCLID verification tool [7]. These hardware models include a load-store unit from an industrial microprocessor, an out-of-order execution unit, and a cache coherence protocol. The formulas were generated by symbolically simulating the models for several steps starting from an initial state, and checking a safety property at the end of each step. Fig. 6(a) summarizes these results. Finally, we also solved formulas generated during symbolic model checking of timed systems. These examples are derived from a railroad crossing gate controller that is commonly used in the timed systems literature. Fig. 6(b) shows the results for these formulas.